Closed Bug 1683005 Opened 5 years ago Closed 5 years ago

Password generator updates "generated" passwords based on user input in the same form

Categories

(Toolkit :: Password Manager, defect)
Version: 78 Branch
Platform: Desktop / macOS

Tracking

Status: RESOLVED DUPLICATE of bug 1551723

People

(Reporter: ct202stu1s10, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

Today I was using Firefox's password generator to create new passwords for multiple email accounts at aol.com.

I logged into an existing aol.com account to change the password. I used Firefox's password generator.
The generated password was fine (different from all my others) and I accepted it. **

Then I logged into a different aol.com account to change the password. Again I used Firefox's password generator.
However I immediately noticed that this password was identical to the password generated for the first account!
I simply modified the password and accepted it. **

Then I logged into a THIRD aol.com account to change the password. Again I used Firefox's password generator.
However THIS suggested password was identical to the 2nd (with my hand-typed modifications included).
As before, I modified the suggested 2nd password to make it unique, and accepted that as my 3rd password. **

** NOTE. After each change, I tested the new password: I logged out of my AOL account, then back in using the new password. Each time, Firefox showed me the username-password-update dialog and asked if I wanted to Update my saved password, and I clicked Update.

To confirm this bug, I repeated the procedure one more time (while typing this bug report): I entered AOL's change-password screen, brought up Firefox's password generator, and surprise surprise, my 3rd password (the one I accepted earlier) was visible in clear text.

(Version: Earlier today I upgraded to Firefox 78.6.0esr for macOS.
I have used Firefox's password generator before, but not (until today) to create multiple passwords in a single Firefox session.)

Actual results:

See narrative above.

Expected results:

Password Generator should of course be giving a different password each time.
Need I mention that this is a serious SECURITY issue: Anyone I share this computer with could come along later to change a password on his own account AND SEE THE PASSWORD I LAST CREATED -- as demonstrated above, where (while changing the password on my 3rd account) the Password Generator suggested the password I created previously by hand for my 2nd account.

Additional Symptom: The persistent password recommendation appears to be one-per-domain.
Concrete Example: Later I changed one of my Gmail passwords. Password Generator gave a good, unique password.
However when I tried to change the password of a SECOND Gmail account, Password Generator gave the same password I accepted for my 1st Gmail account. (!)
Then I tried AOL again: When I tried to change a password for another AOL account, Password Generator again suggested the 4th AOL password from above.

(In reply to WireWox from comment #0)

Need I mention that this is a serious SECURITY issue: Anyone I share this computer with could come along later to change a password on his own account AND SEE THE PASSWORD I LAST CREATED

If you're sharing a computer and saved your password, then yes, anyone sharing the computer can see that password - but that's because you saved it, it has nothing to do with password generation. Don't share your computer with people you don't trust (use a different computer, or at least a different OS user account, or failing that, set a primary password).

In terms of password generation, Firefox will generate the same password for a given site in a given session. If you quit and reopen Firefox, it will generate a new password. If you go to a different site in the same session, it will generate a different password. We already have bug 1569568 to give users the option of generating a unique password when using password generation more than once on the same site in the same session.

However, this bug seems to be slightly different: altering the password in the password field after it has been generated updates the "generated" password that Firefox keeps for that site. I don't know why that is happening - it feels like an odd thing to do. Sam, can you clarify?

Component: Untriaged → Password Manager
Flags: needinfo?(sfoster)
OS: Unspecified → macOS
Product: Firefox → Toolkit
Hardware: Unspecified → Desktop
Summary: Password Generator not generating NEW passwords, re-uses last-accepted password → Password generator updates "generated" passwords based on user input in the same form

(In reply to :Gijs (he/him) from comment #2)

However, this bug seems to be slightly different: altering the password in the password field after it has been generated updates the "generated" password that Firefox keeps for that site. I don't know why that is happening - it feels like an odd thing to do. Sam, can you clarify?

We allow users to update/edit a generated password e.g. to add a symbol or change characters to meet whatever the site's password requirements are. If the value is changed entirely (i.e. the user clears the field and types something else) we treat that as a new (not generated) password. Otherwise, we continue to identify that password as the "generated" password for that site. That is important for flows where the user needs to confirm that password on a different screen and the user hasn't explicitly saved this new login yet.

Bug 1551723 is a possible dupe - that would allow the user to generate a fresh password on the same origin, which feels like the solution here also?

Flags: needinfo?(sfoster)

It looks like Bug 1551723 would address the issue here. It would allow us to both indicate to the user that the same generated password is being updated, and provide a way to choose that a new password be used.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Group: firefox-core-security